IpSec - poor performance in one direction
-
Greetings all,
I am running into an ipSec performance issue and cannot pinpoint the cause. I have two sites connected via ASA-5505 and pfSense 1.2.3-RELEASE using an ipSec tunnel. The tunnel is active and we can ping/copy data between sites with no problem. However, copying data from Site-A to Site-B over the tunnel seems to be capped at 750Kb/sec, while copying data from Site-B to Site-A copies at appropriate speeds (4Mbps up/down). In addition, if I copy data from Site-A to Site-B without using the ipSec tunnel (sftp via NAT port forwarding on the pfSense firewall), traffic copies at the appropriate speed.
What's strange is that if I copy files from Site-B to Site-A outside the ipsec tunnel (port forward SSH), the data is copied at the appropriate speed. So, it appears something is throttling the ipsec tunnel from Site-B to Site-A. A crude picture looks like this:
SITE-A                         Internet Cloud                  SITE-B
/--------------------------\   /------------------\   /--------------------------\
| Sun-Server <--> ASA-5505 |<==|== ipSEC TUNNEL ==|==>| pfSense <--> Sun-Server |
\--------------------------/   \------------------/   \--------------------------/

So, in summary:
- Site-A to Site-B via ipSec tunnel = slow
- Site-B to Site-A via ipSec tunnel = fast
- Site-A to Site-B outside ipSec tunnel = fast
Any ideas?
-
You can try tweaking the settings for scrub, and setting a lower MTU on the WAN, but what you are seeing is a fairly common complaint when hooking up to Cisco gear.
-
Thanks Jim. What scrub settings should I look for? I have done this exact config in the past and don't remember any speed-related issues like this. Perhaps my ASA config needs to be tweaked slightly…
-
Under System > Advanced there is a checkbox to disable/enable scrub.
-
Thanks, but that did not change anything.
But I did find something odd. If I change the WAN MTU to 1400 on the ASA, I can no longer copy large files from the ASA to the pfSense network over the VPN tunnel. In fact, I changed both ends (ASA and pfSense) to 1400 and could not get an scp (secure copy) from the ASA side to the pfSense side. This seems very strange to me. I had to change the ASA side back to 1500 to get traffic running again.
Does this ring a bell? Is this a known behavior?
-
Sounds familiar, but sadly I don't recall the specifics offhand. You may need to do a packet capture on the IPsec interface and look at it in wireshark to get a better idea of what is happening.
-
Thanks Jim. Let me see what I can find…
-
Just to follow-up on this…
Turns out the internet link was 10M/768K instead of 4M/4M. So, pfSense and the Cisco ASA were working exactly as they should have.
Thanks again Jim for all the help/pointers...
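Two things in this thread are worth putting numbers on: the MTU experiment (setting the WAN MTU to 1400 broke large transfers) and the final explanation (one direction of the link was only 768 kbit/s). The calculator below is an added example, not code from the thread or from pfSense/Cisco; it assumes ESP in tunnel mode over IPv4 with AES-CBC and HMAC-SHA1-96 and no NAT-T, which are constructed assumptions, not the configuration of either device here. It shows why a full 1500-byte inner packet can never fit in a 1500-byte (or 1400-byte) outer MTU without fragmentation, what TCP MSS avoids that, and the payload rate a 768 kbit/s direction can carry at best.

```python
"""ESP (IPsec tunnel mode) overhead, MTU and goodput calculator.

Constructed assumptions for this example (not taken from the thread's devices):
ESP tunnel mode over IPv4, AES-CBC (16-byte IV, 16-byte block), HMAC-SHA1-96
(12-byte ICV), no NAT-T UDP encapsulation, no layer-2 framing counted.
"""

OUTER_IP = 20      # outer IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
IV_LEN = 16        # AES-CBC initialisation vector
BLOCK = 16         # AES block size; the encrypted part is padded to a multiple
TRAILER = 2        # pad length (1) + next header (1), inside the encrypted part
ICV_LEN = 12       # HMAC-SHA1-96 integrity check value
TCP_IP_HDRS = 40   # IPv4 (20) + TCP (20) headers of the inner packet


def esp_padding(inner_len):
    """Padding bytes so that inner packet + trailer is block aligned."""
    return (-(inner_len + TRAILER)) % BLOCK


def esp_packet_size(inner_len):
    """Bytes on the wire for an inner IP packet after ESP tunnel encapsulation."""
    return (OUTER_IP + ESP_HDR + IV_LEN + inner_len
            + esp_padding(inner_len) + TRAILER + ICV_LEN)


def max_inner_len(outer_mtu):
    """Largest inner IP packet that fits in outer_mtu without fragmentation."""
    room = outer_mtu - OUTER_IP - ESP_HDR - IV_LEN - ICV_LEN
    room -= room % BLOCK          # encrypted part must be whole blocks
    return room - TRAILER


def tcp_mss(outer_mtu):
    """TCP MSS to clamp to so that tunnelled segments never need fragmenting."""
    return max_inner_len(outer_mtu) - TCP_IP_HDRS


def needs_fragmentation(inner_len, outer_mtu):
    """True if this inner packet must be fragmented (or dropped, if DF is set)."""
    return esp_packet_size(inner_len) > outer_mtu


def goodput_bytes_per_s(link_kbit_s, outer_mtu):
    """Upper bound on TCP payload rate through the tunnel in one direction."""
    mss = tcp_mss(outer_mtu)
    wire = esp_packet_size(mss + TCP_IP_HDRS)
    return link_kbit_s * 1000 / 8 * mss / wire


if __name__ == "__main__":
    for mtu in (1500, 1400):
        print(f"outer MTU {mtu}: 1500-byte inner packet becomes "
              f"{esp_packet_size(1500)} bytes, fragment={needs_fragmentation(1500, mtu)}; "
              f"max inner {max_inner_len(mtu)}, clamp MSS to {tcp_mss(mtu)}")
    print(f"768 kbit/s direction, MTU 1500: at most "
          f"{goodput_bytes_per_s(768, 1500) / 1000:.1f} kB/s of TCP payload")
```

The two takeaways match the thread: lowering the WAN MTU on one side does nothing for inner packets that are still 1500 bytes (they are over size either way, and whether they survive depends on fragmentation and path MTU discovery working end to end), and no tunnel setting can lift a transfer above what the slower direction of the underlying link carries, which is the first thing to verify with a plain non-VPN transfer in each direction, as the poster eventually did.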